Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I combine my two searches to get expected results?

Joshua
Explorer
‎05-23-2016 05:01 AM

Hi,

Can someone help me?
I have the searches below and need to be combine the two to display the expected results:

    LastWKTotal ThisWKTotal Difference
ABC         
DEF         
GHI         
.

Searches:

index=xxx host=xxx sourcetype=ABC* Agent_NumberOfAgents=* earliest=-14d@d latest=-7d@d | dedup host | stats sum(Agent_NumberOfAgents) as LastWKTotal | appendcols [search index=XXX host=xxx sourcetype=ABC* Agent_NumberOfAgents=* earliest=-7d@d latest=now | dedup host | stats sum(Agent_NumberOfAgents) as ThisWKTotal] | eval Platform="ABC" | eval Difference=ThisWKTotal-LastWKTotal

and 

index=XXX host=XXX sourcetype=ABC* Agent_NumberOfAgents=* earliest=-14d@d latest=-7d@d | dedup host | stats sum(Agent_NumberOfAgents) as LastWKTotal | appendcols [search index=XXX host=XXX sourcetype=ABC* Agent_NumberOfAgents=* earliest=-7d@d latest=now | dedup host | stats sum(Agent_NumberOfAgents) as ThisWKTotal ] | eval Platform="DEF" | eval Difference=ThisWKTotal-LastWKTotal

Thanks in Advance

0 Karma
Reply

somesoni2
Revered Legend
‎05-23-2016 09:05 AM

Give this a try

index=xxx host=xxx (sourcetype=ABC* OR sourcetype=DEF*) Agent_NumberOfAgents=* earliest=-14d@d latest=now 
| eval Platform=if(like(sourcetype,"ABC%"),"ABC","DEF") 
| eval week=if(_time>=relative_time(now(),"-7d@d"),"ThisWKTotal","LastWKTotal") 
| dedup week Platform host 
| chart sum(Agent_NumberOfAgents) over Platform by week | eval Difference=ThisWKTotal-LastWKTotal
0 Karma
Reply

gabriel_vasseur
Contributor
‎05-23-2016 06:41 AM

If I understand what you mean, you just want to daisy-chain results from different searches... you should be able to do that simply with:

<INSERT_FIRST_SEARCH_HERE> | append [ search <INSERT_SECOND_SEARCH_HERE> ] | append [ search <INSERT_THIRD_SEARCH_HERE> ]

Etc.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 05:30 AM

should sourcetypes be DEF* in the 2nd search? ...

should both searches provided by combined together, or are they examples of you trying to combine 2 searches together?

I ask because they are the same exact search only in the 2nd one you eval Platform="DEF" at the very end.

Also, would be great if you provided example data.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...